Re: [PATCH v4 4/9] cxl/mem: Add basic IOCTL interface
From: Jonathan Cameron
Date: Wed Feb 17 2021 - 04:57:21 EST
On Tue, 16 Feb 2021 10:34:32 -0800
Ben Widawsky <ben.widawsky@xxxxxxxxx> wrote:
...
> > > diff --git a/drivers/cxl/mem.c b/drivers/cxl/mem.c
> > > index 237b956f0be0..4ca4f5afd9d2 100644
> > > --- a/drivers/cxl/mem.c
> > > +++ b/drivers/cxl/mem.c
> > > @@ -686,7 +686,11 @@ static int cxl_validate_cmd_from_user(struct cxl_mem *cxlm,
> > >
> > > memcpy(out_cmd, c, sizeof(*c));
> > > out_cmd->info.size_in = send_cmd->in.size;
> > > - out_cmd->info.size_out = send_cmd->out.size;
> > > + /*
> > > + * XXX: out_cmd->info.size_out will be controlled by the driver, and the
> > > + * specified number of bytes @send_cmd->out.size will be copied back out
> > > + * to userspace.
> > > + */
> > >
> > > return 0;
> > > }
> >
> > This deals with the buffer overflow being triggered from userspace.
> >
> > I'm still nervous. I really don't like assuming hardware will do the right
> > thing and never send us more data than we expect.
> >
> > Given the check that it will fit in the target buffer is simple,
> > I'd prefer to harden it and know we can't have a problem.
> >
> > Jonathan
>
> I'm working on hardening __cxl_mem_mbox_send_cmd now per your request. With
> that, I think this solves the issue, right?
Should do. Thanks,
Jonathan